
Howto/Change Directory Manager Password

The cn=Directory Manager password is used by the FreeIPA installation tools when bootstrapping the PKI, and it is also the password of the admin user in the PKI. The FreeIPA web service itself does not use the password once the PKI is installed, since it authenticates to the CA with a certificate. The password is still needed, however, to encrypt the CA certificate and key stored in /root/cacert.p12 on FreeIPA servers with a PKI, and by a new replica with a CA to authenticate to the other master and obtain an installation token for the PKI.

Thus, if the Directory Manager password is changed, additional updates are required to propagate the change to the PKI.


The following procedure needs to be performed on all FreeIPA replicas with a PKI, except where a step says otherwise.

The procedure assumes that the Directory Manager password has already been changed by the standard means described in the Directory Server documentation.
Automated in FreeIPA 3.2.2
The procedure below applies only to FreeIPA 3.2.1 or older. Since FreeIPA 3.2.2 (ticket #3594), it is automated as part of preparing a replica info file with ipa-replica-prepare.
FreeIPA 3.2.2+
Change the password as described in the 389-ds documentation. The rest of this page applies only to 3.2.1 or earlier.

In the procedure below:

  • $DM_PASSWORD is the new Directory Manager password
  • $KEYDB_PIN is the PIN of the PKI certificate storage (the NSS database). It is the value of the internal option in /etc/pki-ca/password.conf for Dogtag 9 or in /etc/pki/pki-tomcat/password.conf for Dogtag 10
  • $ALIAS_PATH is the path to the PKI certificate storage. Use /var/lib/pki-ca/alias/ for Dogtag 9 and /var/lib/pki/pki-tomcat/alias/ for Dogtag 10
  • $CA_PORT is the port of the Directory Server instance that holds the CA database. Use 7389 for Dogtag 9 and 389 for Dogtag 10

1. Update LDAP bind password

Configure all replicas to use the new password by editing /etc/pki-ca/password.conf for Dogtag 9 or /etc/pki/pki-tomcat/password.conf for Dogtag 10: set the internaldb entry, which is the password the CA binds to its Directory Server database with, to the new Directory Manager password. Leave the internal entry alone, as it is the NSS database PIN ($KEYDB_PIN), not an LDAP password. The CA reads password.conf only at start-up, so restart it (for example with ipactl restart) for the change to take effect.

2. Update password of cacert.p12

On all replicas, create the password files with the following commands. Set $DM_PASSWORD without echoing or recording it (for example with read -s DM_PASSWORD) so the new password does not end up in the shell history, and keep the variable quoted so that spaces or glob characters in the password are preserved:

# echo -n "$DM_PASSWORD" > /root/dm_password
# echo -n "$KEYDB_PIN" > /root/keydb_pin

Important: If you create the files with a text editor instead of echo -n, they will most likely end with an EOL character, which would then become part of the password. Trim the EOL characters with the following commands:

# tr -d '\n' < /root/dm_password > /root/dm_password.new
# mv /root/dm_password.new /root/dm_password
# tr -d '\n' < /root/keydb_pin > /root/keydb_pin.new
# mv /root/keydb_pin.new /root/keydb_pin

Then re-generate the cacert.p12 file with the following command:

# /usr/bin/PKCS12Export -d $ALIAS_PATH -p /root/keydb_pin -w /root/dm_password -o /root/cacert.p12

3. Update PKI admin password

From one of the replicas, change the PKI admin password with the following command (-W prompts for the Directory Manager password, -T reads the new admin password from the file created above):

# ldappasswd -h localhost -ZZ -p $CA_PORT -x -D "cn=Directory Manager" -W -T /root/dm_password "uid=admin,ou=people,o=ipaca"

Important: Verify the new password with the following command. The base search on the root DSE runs only after the bind as uid=admin succeeds; with a wrong password the command fails with ldap_bind: Invalid credentials (49) instead:

# ldapsearch -h localhost -ZZ -p $CA_PORT -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base
Multiple servers with PKI
Since the PKI database is replicated, this step needs to be executed only once, on any one replica with a PKI.

4. Cleanup

Remove the password files from all replicas, since they hold the Directory Manager password and the NSS PIN in clear text:

# rm /root/dm_password
# rm /root/keydb_pin
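The whole procedure for 3.2.1 and older as one script, added here as an example; it is not code from this page or from the FreeIPA project. The file handling (Dogtag 9/10 layout detection, the password.conf edit of step 1, the EOL-free password files of step 2) is in functions that can be exercised on a scratch directory, while steps 2 to 4 against the real tools run only when RUN_PROCEDURE=1 is set, with ONCE=1 on the single replica that performs step 3. It assumes the Dogtag paths and ports listed above, that the LDAP bind password is the internaldb key and the NSS PIN the internal key of password.conf, and that ldappasswd and ldapsearch accept -y to read the bind password from a file instead of prompting with -W.

```shell
#!/bin/bash
# Added example, not code from the FreeIPA wiki page: the manual procedure
# for FreeIPA 3.2.1 and older. Assumptions: Dogtag keeps the LDAP bind
# password under the "internaldb" key of password.conf (the NSS PIN is the
# "internal" key), and the Dogtag 9/10 paths and ports are those on the page.
set -eu

# Pick the Dogtag 9 or Dogtag 10 layout by probing for password.conf under
# $1 (normally "/"; a scratch directory when testing). Sets PASSWORD_CONF,
# ALIAS_PATH and CA_PORT; fails if neither layout is present.
detect_dogtag_layout() {
    root="${1%/}"
    if [ -f "$root/etc/pki/pki-tomcat/password.conf" ]; then
        PASSWORD_CONF="$root/etc/pki/pki-tomcat/password.conf"
        ALIAS_PATH="$root/var/lib/pki/pki-tomcat/alias/"
        CA_PORT=389
    elif [ -f "$root/etc/pki-ca/password.conf" ]; then
        PASSWORD_CONF="$root/etc/pki-ca/password.conf"
        ALIAS_PATH="$root/var/lib/pki-ca/alias/"
        CA_PORT=7389
    else
        echo "no Dogtag password.conf found under $root/" >&2
        return 1
    fi
}

# Print the value of key $2 from the key=value file $1.
conf_get() {
    sed -n "s/^$2=//p" "$1"
}

# Step 1: replace the LDAP bind password in password.conf. The old line is
# dropped and a new one appended instead of being edited with sed, so that
# '|', '&' or '\' in the password are written literally. Writing back through
# "cat >" keeps the file's owner and mode (pkiuser, 0600) intact.
update_bind_password() {
    conf="$1"; new_pw="$2"
    grep -q '^internaldb=' "$conf"          # refuse to touch an unexpected file
    tmp=$(mktemp)
    { grep -v '^internaldb=' "$conf" || true
      printf 'internaldb=%s\n' "$new_pw"; } > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Step 2 helper: write a secret to a root-only file with no trailing newline,
# then confirm the byte count matches the secret (the page's EOL pitfall).
write_secret_file() {
    file="$1"; secret="$2"
    (umask 077; printf '%s' "$secret" > "$file")
    [ "$(wc -c < "$file")" -eq "$(printf '%s' "$secret" | wc -c)" ]
}

# Steps 1-4 on this replica. Step 3 (PKI admin password, replicated) is only
# done when ONCE=1, i.e. on one server. Runs the real tools, so it is entered
# only when RUN_PROCEDURE=1 is set in the environment.
run_procedure() {
    : "${DM_PASSWORD:?set DM_PASSWORD to the new Directory Manager password}"
    detect_dogtag_layout /
    keydb_pin=$(conf_get "$PASSWORD_CONF" internal)
    update_bind_password "$PASSWORD_CONF" "$DM_PASSWORD"
    write_secret_file /root/dm_password "$DM_PASSWORD"
    write_secret_file /root/keydb_pin "$keydb_pin"
    trap 'rm -f /root/dm_password /root/keydb_pin' EXIT   # step 4, always
    /usr/bin/PKCS12Export -d "$ALIAS_PATH" -p /root/keydb_pin \
        -w /root/dm_password -o /root/cacert.p12
    if [ "${ONCE:-0}" = 1 ]; then
        ldappasswd -h localhost -ZZ -p "$CA_PORT" -x -D "cn=Directory Manager" \
            -y /root/dm_password -T /root/dm_password "uid=admin,ou=people,o=ipaca"
        # Fails with "Invalid credentials (49)" if the admin password is wrong.
        ldapsearch -h localhost -ZZ -p "$CA_PORT" -x -D "uid=admin,ou=people,o=ipaca" \
            -y /root/dm_password -b "" -s base > /dev/null
    fi
}

if [ "${RUN_PROCEDURE:-0}" = 1 ]; then
    run_procedure
fi
```

Run it as root on every replica with a PKI as RUN_PROCEDURE=1 DM_PASSWORD=... ./script.sh, adding ONCE=1 on exactly one of them; restart the CA afterwards so it picks up the new bind password from password.conf. Reading DM_PASSWORD with read -s before invoking the script keeps the password out of the shell history.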